Re: [exim] some OpenSSL topics

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] some OpenSSL topics
On Tue, Oct 15, 2013 at 01:08:48PM +0200, Wolfgang Breyha wrote:

> Viktor Dukhovni wrote, on 15.10.2013 02:42:
> > On Mon, Oct 14, 2013 at 05:52:19PM +0200, Wolfgang Breyha wrote:
> >> tls_require_ciphers = ECDH:kEDH:HIGH:RC4-SHA:!PSK:!KRB5:!aNULL:!MD5:!DES
> >
> > This cipher preference is broken. Exim SHOULD NOT encourage users
> > to attempt to manually tweak OpenSSL cipherlists, even modestly
> > clueful users get this badly wrong.
>
> Exim never encouraged users to do so. Can you be a little bit more specific
> why this cipher list is "broken"? At least the output of "openssl ciphers"
> doesn't look that "broken".


- The cipher-list is not sorted by key length; weak ECDH ciphers are listed
ahead of stronger EDH or non-PFS ciphers. For example:

  ECDHE-RSA-NULL-SHA      SSLv3 Kx=ECDH     Au=RSA  Enc=None      Mac=SHA1


- The ECDH and kEDH ciphers you include are not necessarily "HIGH", and I
believe you're trying to restrict the cipherlist to just HIGH grade
ciphers plus RC4-SHA.

- The ECDH cipher category is not the same as kEECDH (which is what you want
for PFS). It includes many non-PFS ciphers:

  $ openssl ciphers -v 'ECDH:!kEECDH:!kEDH'
  ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
  ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
  ECDH-RSA-AES256-SHA384  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA384
  ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA384
  ECDH-RSA-AES256-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA1
  ECDH-ECDSA-AES256-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA1
  ECDH-RSA-DES-CBC3-SHA   SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
  ECDH-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=3DES(168) Mac=SHA1
  ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
  ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
  ECDH-RSA-AES128-SHA256  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA256
  ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA256
  ECDH-RSA-AES128-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA1
  ECDH-ECDSA-AES128-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA1
  ECDH-RSA-RC4-SHA        SSLv3 Kx=ECDH/RSA Au=ECDH Enc=RC4(128)  Mac=SHA1
  ECDH-ECDSA-RC4-SHA      SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=RC4(128)  Mac=SHA1
  ECDH-RSA-NULL-SHA       SSLv3 Kx=ECDH/RSA Au=ECDH Enc=None      Mac=SHA1
  ECDH-ECDSA-NULL-SHA     SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=None      Mac=SHA1


- I could describe other problems, but the above are enough.

This cipher list is clearly the result of an incomplete understanding
of the OpenSSL cipherlist syntax. And yet you're not a novice
user. Hence my contention that the OpenSSL cipher syntax is for
OpenSSL experts only; applications should not expose it directly
to users.

[ Postfix has cipher grades (null, export, low, medium, high), users
choose one of these, and leave the underlying cipherlists alone! ]

-- 
    Viktor.
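
The checks described in the message above, as an added example that is not part of the original post or of Exim or OpenSSL: it audits an expanded cipherlist in `openssl ciphers -v` format for NULL encryption, missing forward secrecy, and weak ciphers listed ahead of stronger ones. The function names are hypothetical, the `DHE-RSA-AES256-SHA` sample line is constructed, and the code assumes the output style shown above, where static key exchange prints as `Kx=ECDH/RSA`.

```python
import re

# Lines in `openssl ciphers -v` format. The first three are copied from the
# output quoted in the message; the DHE line is constructed for contrast.
SAMPLE = """\
ECDHE-RSA-NULL-SHA      SSLv3 Kx=ECDH     Au=RSA  Enc=None      Mac=SHA1
ECDH-RSA-AES256-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA1
ECDH-RSA-RC4-SHA        SSLv3 Kx=ECDH/RSA Au=ECDH Enc=RC4(128)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
"""

# Assumption: ephemeral key exchange prints as plain "ECDH" or "DH";
# static variants carry a suffix ("ECDH/RSA") and RSA key transport is "RSA".
EPHEMERAL_KX = {"ECDH", "DH"}


def parse(text):
    """Yield (name, kx, bits) per cipher line; bits is 0 for Enc=None."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # blank or wrapped line, not a full cipher description
        attrs = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
        m = re.search(r"\((\d+)\)", attrs.get("Enc", ""))
        yield fields[0], attrs.get("Kx", ""), int(m.group(1)) if m else 0


def audit(text):
    """Return {cipher: [findings]} for the list, kept in preference order."""
    ciphers = list(parse(text))
    report = {}
    for i, (name, kx, bits) in enumerate(ciphers):
        findings = []
        if bits == 0:
            findings.append("no encryption")
        if kx not in EPHEMERAL_KX:
            findings.append("no forward secrecy")
        # Anything later in the list with a longer key is preferred less.
        stronger_later = [n for n, _, b in ciphers[i + 1:] if b > bits]
        if stronger_later:
            findings.append("preferred over stronger " + stronger_later[0])
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(f"{name}: {', '.join(findings)}")
```

To audit a live configuration, pass the output of `openssl ciphers -v '<cipherlist>'` to `audit()` in place of `SAMPLE`.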